GDPR and Brexit: the draft withdrawal agreement and data transfers from the EU

27 November 2018

International transfers of personal data are instantaneous and constant. Everyday business functions such as uploading data files to the cloud or sending emails potentially involve transferring personal data across international borders. This is particularly relevant in today’s global economy where business functions are often outsourced overseas for operational and cost efficiencies. Our previous blog on this topic confirmed that, following Brexit, the UK will be a ‘third country’ for the purposes of international transfers of data under the GDPR, which could have serious implications on the practicalities of legally transferring personal data from the EU to the UK.  This blog updates the position and examines the possible outcomes of the on-going Brexit negotiations on the transfer of personal data from the EU to the UK. 


On 14 November 2018, the UK government published a draft withdrawal agreement (governing the terms of the UK’s departure from the EU), Article 71(1) of which anticipates a transition period for the continued application of EU data protection law (i.e. the GDPR) for the processing of the personal data of individuals resident outside the UK, provided that the personal data: (a) was processed under EU law in the UK before the end of the transition period; or (b) is processed in the UK after the end of the transition period on the basis of the withdrawal agreement.  However, the continued application of EU data protection law merely affirms the current position that personal data may only be transferred to third countries (such as the UK after Brexit) if the European Commission (the “Commission”) has provided that country with an adequacy decision or, in the absence of an adequacy decision, either certain safeguards are adopted in relation to the transfer or a specific derogation can be relied upon (see our previous blog for more details).    

Fortunately, according to Article 71(2), the transitional arrangements referred to above will fall away if the Commission makes an adequacy decision essentially affirming that the UK’s processing of personal data provides a satisfactory level of protection to EU-based individuals. This would mean there is no need for reliance on safeguards or derogations in order for personal data to be transferred from the EU to the UK, which will result in minimal disruption to business continuity. However, it’s worth noting that adoption of the draft withdrawal agreement by the UK Parliament and EU leaders does not guarantee the provision of an adequacy decision for the UK, although it would seem to be in all parties’ interests for the Commission to implement an adequacy decision in the event of the UK and the EU striking a Brexit deal.    

Even if the UK receives an adequacy decision, the draft withdrawal agreement reminds us that it is not permanent and could be repealed by the EU after one of its periodic reviews of the UK’s data protection laws post-Brexit. If an adequacy decision ceased to apply for any reason then Article 71(3) requires the UK to “ensure a level of protection of personal data essentially equivalent to that under EU law…” Onerous as this may seem, it is not a commitment for the UK to maintain and apply the GDPR (which is currently incorporated into domestic law, irrespective of Brexit, by the Data Protection Act 2018), rather we will have some discretion as to how we implement data protection law albeit curtailed to some extent by the withdrawal agreement. However, irrespective of how we tinker with our domestic data protection law, the absence of an adequacy decision for the UK means reliance on safeguards or derogations in order for personal data to be transferred from the EU to the UK which, as you will note below, is as good as having no deal in place!

No deal

On 25 November 2018, a summit of EU leaders unanimously approved the terms of the draft withdrawal agreement. However, if the UK Parliament fails to approve the draft withdrawal agreement, resulting in a no deal Brexit, the Commission has expressly stated that the adoption of an adequacy decision is not part of its contingency planning.  EU member states do not have the power to unilaterally grant adequacy decisions to third countries as approval from representatives of all EU member states is required. This effectively rules out the possibility of the UK concluding bilateral agreements with member states on the international transfer of personal data where EU law applies.

A no deal Brexit therefore suggests an extended period of reliance on the safeguards and derogations referred to above in order to legally transfer personal data from the EU to the UK. As you will note from our previous blog, reliance on these measures to govern all transfers of personal data from the EU to the UK is likely to be cumbersome in practice, partly given the rigid nature of the Standard Contractual Clauses (SCCs) (in so far as they must be adopted entirely and without amendment to their legal effect) and the magnitude of the task presented by establishing legally sound Binding Corporate Rules from a time and resource perspective. Also noteworthy is that the validity of SCCs is under consideration by the European Court of Justice as questions have arisen over whether they satisfy the standards of care required by the more recent GDPR.


What you can do now

It’s currently unclear as to whether the UK Parliament will approve the draft withdrawal agreement (and early signs are certainly not positive) and, even if it is approved, we will need to wait and see if the UK will receive an adequacy decision during the transitional period of Brexit. The only certainty we have at this point is that a no deal Brexit means reliance on the safeguards and derogations in order to legally transfer personal data from the EU to the UK. If your business is reliant upon such data transfers from the EU, it would be advisable to consider putting in place contingency plans for a no deal Brexit by preparing for the use of appropriate safeguards and/or derogations. 

Should you have any Brexit, GDPR or data protection queries, please contact our Data Protection team.

Brexit Bulletin Board

Brexit Bulletin Board

Flying visits? Challenges for UK lawyers working in the EU post Brexit

In this webinar series, Ilda de Sousa, Partner in our Immigration Team discusses the challenges that a post no deal Brexit will have on UK based lawyers working in France, Italy, Ireland, Netherlands, Belgium, Spain and Luxembourg.

Watch the webinar series

The European Immigration Webinar Series

Marcia Longdon, Partner in our Immigration Team, speaks to immigration experts from France, Spain, Germany and Italy about the changes in immigration law for UK nationals.

Watch the webinar series

The UK left the EU on Friday 31 January 2020

After leaving the EU on 31 January 2020, the UK is now in a transition period. We discuss what this means for people moving to and from the UK, and what the UK's immigration system may look like after the transition period. 31 January 2020


As the UK leaves the EU, what happens next from an immigration perspective?

As the UK will leave the EU tonight at 11pm when we'll move into a transition period, Kim Vowden discusses what happens next for EU citizens arriving in the UK or those thinking of moving here. 31 January 2020


Brexit and EU citizens in the UK

A simple chart showing what will happen to EU citizens living in the UK if there's a deal or if there's no deal.

Brexit - What EU citizens living in the UK need to know

Read More

No-deal Brexit policy update provides some relief for employers and EU citizens

5 September 2019


The EU Settlement Scheme - a guide for EU citizens living in the UK

Click here to play video

Brexit: business anxiety over freedom of movement U-turn

20 August 2019


Handle with care: why it’s time to treat EU nationals responsibly

30 August 2019


Glitches in the EU Settlement Scheme

5 August 2019

Read more

The suspension of parliament increases legal scrutiny of Brexit – and possibly a public inquiry?

29 August 2019

Read more

Kingsley Napley's immigration team sponsors Financial and Professional Services Post-Brexit Immigration Briefing

9 May 2019


Post-Brexit data sharing with EU regulators is key for FCA policing market abuse

1 February 2019

Read News Item

No-deal Brexit: transitional arrangements for EEA nationals arriving after 29 March 2019

29 January 2019


No deal Brexit: what this would mean for extradition?

23 January 2019

Rebecca Niblock blogs

Mutual trust remains until we leave: notification of intention to leave the EU not an exceptional circumstance

19 September 2018

Read the blog

No-deal Brexit and the impact on patient safety

20 September 2018


Divorced, beheaded, scrutinised? SIs and Henry VIII powers under review

31 August 2018

Read the blog

Brexit: "It was not this that I promised to do"

14 August 2018

Read the blog

Brexit and the European Arrest Warrant (EAW): at least now we know what we don’t know

9 August 2018

Read the blog

Could Brexit send Geraint Thomas into a spin?

30 July 2018 - Hanging over this year’s Tour de France, at least for this British cycling fan, was the realisation that this is probably the last Tour pre-Brexit, and so there is an additional level of uncertainty about what the 2019 post-Brexit edition will look like.

Read the blog

Holiday home/Retirement planning: will Brexit wreck it?

16 July 2018 - A question you may ponder as you relax on that sunlounger in the weeks ahead is whether you need to review your arrangements for any EU based property in light of Brexit.

Read the blog

Brexit and practising rights for lawyers

9 July 2018 - Two Solicitor friends of mine recently asked me to sign their applications to register with the Law Society of Ireland. I asked them if they were thinking of moving.

Read Blog Post

#Brexit: Further clarification on the rights of EU citizens living in the UK

18 June 2018

View Tweet

Blackberries, Baking and Brexit

11 July 2018

Read Blog Post

A change of course? Pondering the future of golf in Brexit Britain

29 March 2018 - As avid golfers focus their attention on the US Masters in Augusta Georgia next month, many at the 19th Hole will be pondering the impact of Brexit on their beloved game.

Read the blog

Post-Brexit language testing for EEA qualified healthcare professionals

22 March 2018 - The House of Commons Library published a Briefing Paper on 7 March 2018 outlining the language testing requirements imposed upon healthcare professionals who qualified outside of the UK.

Read Blog Post

Brexit & Horse Racing

5 March 2018 - The UK is home to a myriad of sports employing foreign nationals and receiving investments from overseas companies. Learn how Brexit will impact horse racing and all who are part of it.

Read Blog Post

Brexit & Motor Racing

21 March 2018 - The UK is home to a myriad of sports employing foreign nationals and receiving investments from overseas companies. Learn how Brexit will impact motor racing and all who are part of it.

Read Blog Post

UK-EU security cooperation post #Brexit - ringing the alarm bell! | Part II of a two-part guest blog by EU Criminal Law expert Dr Debbie Sayers | #CriminalLaw

17 April 2018

View Tweet

Kim provides the facts! #stayorgo

19 March 2018

View Tweet

Beyond #Brexit: new anti-money laundering regime agreed

10 July 2018 - No sooner are we one year into the new regime under the Money Laundering Regulations 2017 than a further EU instrument has been adopted.

Read Blog Post

What Brexit means for EU employees living in the UK and their families

27 June 2016

View on YouTube

Share insightLinkedIn Twitter Facebook Email to a friend Print

Email this page to a friend

We welcome views and opinions about the issues raised in this blog. Should you require specific advice in relation to personal circumstances, please use the form on the contact page.

Leave a comment

You may also be interested in:

Close Load more

Skip to content Home About Us Insights Services Contact Accessibility